rpms/aide
6
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL 10.2 ERRATUM

Browse Source 
Modernize aide config file
Resolves: RHEL-39970
No path reference ends with '/'
Resolves: RHEL-39959
This commit is contained in:
Cropi 2025-09-25 10:41:36 +02:00
parent 1b48a1f056
commit 97ed5cb6cb
2 changed files with 279 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

403
aide.conf
View File

@ -14,20 +14,49 @@ database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Database attributes to include in report (H = all compiled hashsums, default)
database_attrs=H
# Add metadata to database (version info, timestamps)
database_add_metadata=yes
# Warn about unrestricted rules during config check (default: false)
config_check_warn_unrestricted_rules=false
# Number of workers for parallel processing (default: 1, can use percentage)
num_workers=1
# Default.
log_level=warning
report_level=changed_attributes
# Report format (plain or json)
report_format=plain
# Group files in report by added/removed/changed
report_grouped=yes
# Summarize changes in report
report_summarize_changes=yes
# Don't report if no differences found
report_quiet=no
# Report encoding (base64 is default, base16 available)
report_base16=no
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
#report_url=syslog:LOG_AUTH
# These are the default rules.
#
#ftype: file type
#fstype: file system type (Linux-only)
#p: permissions
#i: inode:
#i: inode
#l: link name (symbolic links only)
#n: number of links
#u: user
#g: group
@ -36,55 +65,78 @@ report_url=stdout
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#e2fsattrs: file attributes on Linux file system
#caps: file capabilities (Linux-only)
# Hashsums attributes (regular files only)
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#sha512_256: SHA-512 checksum truncated to 256 output bits
#sha3_256: SHA3-256 checksum (modern)
#sha3_512: SHA3-512 checksum (modern)
#stribog256: GOST R 34.11-2012, 256 bit
#stribog512: GOST R 34.11-2012, 512 bit
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
# DEPRECATED (will be removed in future versions):
#md5: md5 checksum (deprecated since v0.19)
#sha1: sha1 checksum (deprecated since v0.19)
#rmd160: rmd160 checksum (deprecated since v0.19)
#gost: gost checksum (deprecated since v0.19)
FIPSR = p+i+n+u+g+s+acl+selinux+xattrs+sha256
# REMOVED in AIDE v0.19:
#S: check for growing size (use 'growing+s' instead)
#tiger: tiger checksum (removed)
#haval: haval checksum (removed)
#crc32: crc32 checksum (removed)
#crc32b: crc32b checksum (removed)
#whirlpool: whirlpool checksum (removed)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# Special attributes for advanced use cases:
#I: ignore changed filename - detects moved files by inode
#growing: ignore growing file size/timestamps for logs
#compressed: ignore compression - compares uncompressed content
#ANF: allow new files - new files ignored in report
#ARF: allow removed files - missing files ignored in report
# Default groups in AIDE v0.19:
# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
# L = p+ftype+i+l+n+u+g+X
# > = Growing file p+ftype+l+u+g+i+n+s+growing+X
# H = all compiled in (and not deprecated) hashsums
# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in)
# E = Empty group
# Use 'aide --version' to list the default compound groups.
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
# Everything but access time (Ie. all changes) - updated with modern hashsums
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = FIPSR+sha512
# Base + sha512 (strong)
NORMAL = R+sha512-m-c
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Content only - added file type and strong hash
CONTENT = ftype+sha512
# Access control only
PERMS = p+i+u+g+acl+selinux
# For directories, don't bother doing hashes - added file type and link name
DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
# Logfile are special, in that they often change
LOG = >
# Access control only - added file type and link name
PERMS = ftype+p+i+l+u+g+acl+selinux
# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512
# Logfiles are special, in that they often change due to log rotation
# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation)
LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# but we want to know when the data inside them changes - updated with modern hash
DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
# Next decide what directories/files you want in the database.
@ -93,124 +145,217 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
# Monitor /opt selectively to avoid noise from auto-updating applications
/opt CONTENT
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Admins dot files constantly change, just check perms
/root/\..* PERMS
!/root/.xauth*
/root NORMAL
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
# trusted databases
/etc/hosts$ NORMAL
/etc/host.conf$ NORMAL
/etc/hostname$ NORMAL
/etc/issue$ NORMAL
/etc/issue.net$ NORMAL
/etc/protocols$ NORMAL
/etc/services$ NORMAL
/etc/localtime$ NORMAL
/etc/alternatives NORMAL
/etc/mime.types$ NORMAL
/etc/terminfo NORMAL
/etc/exports$ NORMAL
/etc/fstab$ NORMAL
/etc/passwd$ NORMAL
/etc/group$ NORMAL
/etc/gshadow$ NORMAL
/etc/shadow$ NORMAL
/etc/subgid$ NORMAL
/etc/subuid$ NORMAL
/etc/skel NORMAL
/etc/sssd NORMAL
/etc/swid NORMAL
/etc/system-release-cpe$ NORMAL
/etc/tmux.conf$ NORMAL
/etc/xattr.conf$ NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
# networking
/etc/firewalld NORMAL
!/etc/NetworkManager/system-connections
/etc/NetworkManager NORMAL
/etc/networks$ NORMAL
/etc/dhcp NORMAL
/etc/wpa_supplicant NORMAL
/etc/resolv.conf$ DATAONLY
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# logins and accounts
/etc/login.defs$ NORMAL
/etc/libuser.conf$ NORMAL
/var/log/faillog$ PERMS
/var/log/lastlog$ PERMS
/var/run/faillock PERMS
/etc/pam.d NORMAL
/etc/security NORMAL
/etc/securetty$ NORMAL
/etc/polkit-1 NORMAL
/etc/sudo.conf$ NORMAL
/etc/sudoers$ NORMAL
/etc/sudoers.d NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
/etc/profile$ NORMAL
/etc/profile.d NORMAL
/etc/bashrc$ NORMAL
/etc/bash_completion.d NORMAL
/etc/zprofile$ NORMAL
/etc/zshrc$ NORMAL
/etc/zlogin$ NORMAL
/etc/zlogout$ NORMAL
/etc/X11 NORMAL
/etc/shells$ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/etc/dnf NORMAL
/etc/yum.repos.d NORMAL
# auditing
# AIDE produces an audit record, so this becomes perpetual motion.
/var/log/audit PERMS
/etc/audit NORMAL
/etc/libaudit.conf$ NORMAL
/etc/aide.conf$ NORMAL
# System logs with proper logrotate handling
/etc/rsyslog.conf$ NORMAL
/etc/rsyslog.d NORMAL
/etc/logrotate.conf$ NORMAL
/etc/logrotate.d NORMAL
/etc/systemd/journald.conf$ NORMAL
# Log directory
/var/log LOG
# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes
/var/log/journal LOG-xattrs
/var/log LOG
/var/run/utmp LOG
# secrets
/etc/pkcs11 NORMAL
/etc/pki NORMAL
/etc/ssl NORMAL
/etc/certmonger NORMAL
/var/lib/systemd/random-seed$ PERMS
# init system
/etc/systemd NORMAL
/etc/sysconfig NORMAL
/etc/rc.d NORMAL
/etc/tmpfiles.d NORMAL
/etc/machine-id$ NORMAL
# boot config
/etc/default NORMAL
/etc/grub.d NORMAL
/etc/grub2.cfg$ NORMAL
/etc/dracut.conf$ NORMAL
/etc/dracut.conf.d NORMAL
# glibc linker
/etc/ld.so.cache$ NORMAL
/etc/ld.so.conf$ NORMAL
/etc/ld.so.conf.d NORMAL
/etc/ld.so.preload$ NORMAL
# kernel config
/etc/sysctl.conf$ NORMAL
/etc/sysctl.d NORMAL
/etc/modprobe.d NORMAL
/etc/modules-load.d NORMAL
/etc/depmod.d NORMAL
/etc/udev NORMAL
/etc/crypttab$ NORMAL
#### Daemons ####
# cron jobs
/var/spool/at CONTENT
/etc/at.allow$ CONTENT
/etc/at.deny$ CONTENT
/etc/anacrontab$ NORMAL
/etc/cron.allow$ NORMAL
/etc/cron.deny$ NORMAL
/etc/cron.d NORMAL
/etc/cron.daily NORMAL
/etc/cron.hourly NORMAL
/etc/cron.monthly NORMAL
/etc/cron.weekly NORMAL
/etc/crontab$ NORMAL
/var/spool/cron/root CONTENT
# time keeping
/etc/chrony.conf$ NORMAL
/etc/chrony.keys$ NORMAL
# mail
/etc/aliases$ NORMAL
/etc/aliases.db$ NORMAL
/etc/postfix NORMAL
# ssh
/etc/ssh/sshd_config$ NORMAL
/etc/ssh/ssh_config$ NORMAL
# stunnel
/etc/stunnel NORMAL
# ftp
/etc/vsftpd CONTENT
# printing
/etc/cups NORMAL
/etc/cupshelpers NORMAL
/etc/avahi NORMAL
# web server
/etc/httpd NORMAL
# dns
/etc/named NORMAL
/etc/named.conf$ NORMAL
/etc/named.iscdlv.key$ NORMAL
/etc/named.rfc1912.zones$ NORMAL
/etc/named.root.key$ NORMAL
# xinetd
/etc/xinetd.conf$ NORMAL
/etc/xinetd.d NORMAL
# IPsec
/etc/ipsec.conf$ NORMAL
/etc/ipsec.secrets$ NORMAL
/etc/ipsec.d NORMAL
# USBGuard
/etc/usbguard NORMAL
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
@ -218,8 +363,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
#=/home DIR
# Ditto /var/log/sa reason...
!/boot/grub2/grubenv
!/var/log/and-httpd
# Admins dot files constantly change, just check perms
/root/\..* PERMS
!/var/log/httpd

8
aide.spec
View File

@ -1,7 +1,7 @@
Summary: Intrusion detection environment
Name: aide
Version: 0.19.2
Release: 1%{?dist}
Release: 2%{?dist}
URL: https://github.com/aide/aide
License: GPL-2.0-or-later
Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
@ -79,6 +79,12 @@ install -Dpm0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/aide.conf
%{_tmpfilesdir}/aide.conf
%changelog
* Thu Sep 25 2025 Attila Lakatos <alakatos@redhat.com> - 0.19.2-2
- Modernize aide config file
Resolves: RHEL-39970
- No path reference ends with '/'
Resolves: RHEL-39959
* Tue Aug 05 2025 Attila Lakatos <alakatos@redhat.com> - 0.19.2-1
- rebase to 0.19.2
Resolves: RHEL-110572